Data Processing Addendum
between Controller and Processor
This is an addendum to, is incorporated into, and forms part of the End User License Agreement between the customer and its affiliates (“Controller”) and codefortynine GmbH, Germany (“Processor”) (together, the “Parties”) entering into the “Main Agreement”.
Background
The Parties wish to amend the Main Agreement on the agreed terms set out below in order to specify the data protection obligations of the Parties arising from the data processing that is part of the Main Agreement. It applies to all activities related to the Main Agreement in which employees or agents of the Processor process personal data of the Controller.
Where the Controller is subject to EU data protection laws, this Data Processing Addendum shall apply to the extent that the Processor processes personal data on the Controller’s behalf.
1. Definitions
1.1 The terms “process/processing”, “data subject”, “data processor”, “data controller”, “personal data”, “personal data breach”, and “data protection impact assessment” shall have the same meaning ascribed to them in Data Protection Laws;
1.2 “Addendum” means this Data Processing Addendum/DPA;
1.3 “Authorized Sub-processors” means (i) those Sub-processors set out in Annex 3 and (ii) any additional Sub-processors involved pursuant to sections 6 and 10;
1.4 “Data Protection Laws” means in relation to any Personal Data which is processed in the performance of the Main Agreement the (i) General Data Protection Regulation (EU) 2016/679 (“GDPR”); (ii) EU Directive 2002/58/EC on privacy and electronic communications, as transposed into domestic legislation of each Member State; (iii) any other applicable statutory provisions regarding data protection law; and (iv) any applicable decisions, guidelines, guidance notes and codes of practice issued from time to time by courts, supervisory authorities and other applicable government authorities;
1.5 “EEA” means the European Economic Area;
1.6 “Personal Data” means the personal data described in Annex 1 (Details of Processing of Personal Data) and any other personal data processed by the Processor on behalf of the Controller pursuant to or in connection with the Main Agreement;
1.7 “Services” means the services described in the Main Agreement;
1.8 “Sub-processor” means any data processor (including any affiliate of the Processor) appointed by the Processor to process Personal Data on behalf of the Controller;
1.9 “Supervisory Authority” means (i) an independent public authority which is established by a Member State pursuant to Article 51 GDPR; and (ii) any similar regulatory authority responsible for the enforcement of Data Protection Laws;
1.10 “Processor” means the Licensor under the Main Agreement.
1.11 In consideration of the mutual promises set out in this Addendum, the parties agree to amend the Main Agreement as set out below.
1.12 Except as set out in this Addendum, all other provisions of the Main Agreement remain in full force and effect.
2. Processing of the Personal Data
2.1 The subject matter, duration, scope and type of data processing and confidentiality arise from the Main Agreement. The purpose of the data processing is to enable the provision of the Services in accordance with the Main Agreement.
2.2 Each party shall at all times in relation to processing connected with the Main Agreement comply with Data Protection Laws.
2.3 The types of Personal Data and the categories of data subjects are set out in Annex 1 (Details of Processing of Personal Data) to this Addendum.
2.4 The processing and use of the personal data shall take place in the territory of the Federal Republic of Germany, in a member state of the European Union or in the EEA. Any relocation to a third country is governed by the provisions of this DPA as well as the statutory provisions.
3. Rights and Obligations of the Controller
3.1 The Controller is the responsible person within the meaning of Article 4 No. 7 GDPR. The assessment of the permissibility of the data processing is the sole responsibility of the Controller. According to section 4.6, the Processor shall be entitled to inform the Controller of any data processing operations that are illegal in its opinion.
3.2 The Controller must check that the technical and organizational data security measures taken by the Processor are complied with before data processing begins and regularly afterwards. The Controller shall document the result of such check in a suitable manner. The Controller shall be responsible for ensuring that these measures provide an appropriate level of protection for the risks of the data to be processed.
3.3 The Controller shall be entitled to issue instructions on the type, scope and procedure of data processing. All instructions shall be documented. The Processor shall be entitled to refuse the execution of an oral instruction until it has been confirmed in writing.
3.4 If an instruction changes, cancels or supplements the stipulations made in Annex 1, it shall only be admissible if a corresponding new stipulation is made.
3.5 The persons authorized by the Controller to give instructions are the contacts listed at my.atlassian.com for the respective product identified by the SEN (Service Entitlement Number). Instructions are to be transmitted by email to support@codefortynine.com.
3.6 In the event of changes to the persons authorized to issue instructions or an extended incapacitation for work of such persons, the Controller shall notify the Processor accordingly in writing and without undue delay.
3.7 The provisions in the Main Agreement concerning any compensation for additional expenses incurred by the Processor as a result of supplementary instructions from the Controller shall remain unaffected.
3.8 The Controller shall inform the Processor immediately if it detects errors or irregularities in an examination of the data processing.
3.9 In the event that there is an obligation to provide information to third parties pursuant to Data Protection Laws (e.g. Articles 33, 34 GDPR), the Controller shall be responsible for compliance therewith.
3.10 The Controller shall ensure that all data subjects of the Personal Data have been or will be provided with appropriate notices and information to establish and maintain for the relevant term the necessary legal grounds under Data Protection Laws for transferring the Personal Data to Processor to enable Processor to process the Personal Data in accordance with this Addendum and the Main Agreement.
4. General Obligations of the Processor
4.1 The Processor processes personal data exclusively within the scope of the Main Agreement made and in compliance with documented instructions issued by the Controller. The purpose, type and scope of data processing shall be governed exclusively by this Addendum, the Main Agreement and/or documented instructions of the Processor.
4.2 The Processor undertakes to inform the Controller in writing, stating name, organizational unit, function and phone number, of the persons authorized to accept instructions from the Controller or to act as contact persons. In the event of changes to the persons authorized to accept instructions or an extended incapacitation for work of such persons, the Processor shall notify the Controller accordingly in writing and without undue delay.
4.3 The Processor shall inform the Controller immediately if, in the Processor’s opinion, an instruction issued by the Controller violates Data Protection Laws. The Processor shall be entitled to suspend the execution of the corresponding instruction until it has been confirmed or changed by the responsible person of the Controller.
4.4 If the Services are made impossible or substantially impeded by an instruction of the Controller or if the Customer requests the deletion of Personal Data before the end of the Main Agreement and the Processor is prevented in whole or in part from the further provision of the Services on the basis of the deletion, the Processor shall be released from its obligations to provide the Services to this extent. The Processor’s claim to the agreed remuneration shall remain unaffected.
4.5 If the Processor’s expenditure necessary for the provision of the Services increases due to an instruction of the Controller, the contractor can demand a corresponding adjustment of the agreed remuneration. The Processor shall inform the Controller of the additional costs prior to the execution of such instruction. The Controller shall be entitled to withdraw the instruction so that no additional costs are incurred.
4.6 Taking into account the state of the art, the implementation costs and the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures to ensure a level of data security appropriate to the risk and compliant with the legal requirements. The specific measures are set forth in Annex 2. The technical and organizational measures are subject to technical progress and further development. In this respect, the Processor is permitted to implement alternative adequate measures. The security level of the defined measures may not be undercut. Material changes shall be documented. With regard to the protection purposes of the data processed, the Controller has checked the measures set forth in Annex 2 before conclusion of this Addendum and assessed them as sufficient.
4.7 Upon request, the Processor shall provide reasonable support to the Controller for a data protection impact assessment.
4.8 Upon request, the Processor shall cooperate with the supervisory authority in the performance of its duties. The Processor shall inform the Controller without undue delay about control actions and measures of the supervisory authority, insofar as they relate to the processing of the Controller’s Personal Data.
4.9 Insofar as the Controller is subject to inspection by the supervisory authority, administrative offence or criminal proceedings, a liability claim of a data subject or any other claim in connection with the processing of the Personal Data by the Processor, the Processor shall support the Controller to the best of its ability.
4.10 The Processor shall be obliged to immediately notify the Controller of any violation of Data Protection Laws, the Main Agreement, this Addendum and/or the instructions issued by the Controller in the course of the processing of the Personal Data by the Processor or other persons involved in the processing.
4.11 The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of the processing and the information available to the Processor.
4.12 The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
4.13 The Processor shall be obliged to immediately forward to the Controller any complaints and submissions received in connection with this Agreement.
4.14 If the Personal Data are endangered by seizure or confiscation, by insolvency or by other events or measures of third parties, the Processor shall immediately inform the Controller thereof. The Processor shall immediately inform all such third parties that the ownership of the Personal Data lies exclusively with the Controller as the “controller” within the meaning of the GDPR.
5. Processor Personnel
5.1 The Processor shall treat all Personal Data as strictly confidential and shall inform all its employees, agents and/or Authorized Sub-processors engaged in processing the Personal Data of the confidential nature of such Personal Data.
5.2 The Processor shall take reasonable steps to ensure the reliability of any employee, agent and/or Authorized Sub-processor who may have access to the Personal Data, ensuring in each case that access is limited to those persons or parties who need to access the relevant Personal Data, as necessary for the purpose set out in section 2.1 above in the context of that person’s or party’s duties to the Processor.
5.3 The Processor shall ensure that all such persons or parties involved in the processing of Personal Data are subject to confidentiality undertakings or are under an appropriate statutory obligation of confidentiality.
5.4 The Contractor warrants that it will familiarize its employees processing the Controller’s Personal Data with the Data Protection Laws.
6. Sub-Processing
6.1 As at the date of the conclusion of this Addendum, the companies listed in Annex 3 are acting as subcontractors for partial services for the Processor and in this context may also have access to the Personal Data. The Controller hereby authorizes the Processor to engage these subcontractors.
6.2 The Controller agrees that the Processor may engage other subcontractors. The Processor shall inform the Controller at least 30 days before the subcontractors are engaged. The Controller shall be entitled to object to the engagement of further subcontractors until the end of this time period, provided that there is an important data protection reason for such objection. If there is no objection, the consent to the engagement of the subcontractor shall be deemed to have been given.
6.3 If the Processor engages subcontractors with the Controller’s consent, the Processor shall be obliged to transfer its obligations under this Addendum to the subcontractor. This shall apply in particular to confidentiality, data protection and data security requirements. The Processor undertakes to obligate the subcontractors in text form to secrecy and confidentiality with regard to the Personal Data.
6.4 An audit by the Controller at the subcontractor’s premises shall only take place in coordination with the Processor. By written request, the Controller shall be entitled to obtain information from the Processor about the subcontractor’s data protection obligations, if necessary also by inspecting the relevant text passages of the contractual documents.
6.5 The Controller agrees that when the Processor engages a Sub-processor for the provision of Services and this involves a transfer of personal data within the meaning of Chapter V of the GDPR, the Processor and the Sub-processor can ensure compliance with Chapter V of the GDPR e.g. by using the SCCs.
7. Data Subject rights
7.1 If and to the extent the Controller is obliged to provide a data subject with information on the collection, processing or use of its personal data pursuant to Data Protection Laws, the Processor shall support the Controller in providing this information. This presupposes a written request by the Controller and the Customer reimbursing the Contractor for the costs incurred by this support.
7.2 If a data subject turns to the Processor with claims for information, correction, deletion or blocking of its personal data, the Processor shall refer the data subject to the Controller.
8. Deletion or return of Controller Personal Data
8.1 The Processor corrects, deletes or blocks the Personal Data if so instructed by the Controller. The destruction of data carriers and other materials in accordance with Data Protection Laws shall be undertaken by the Processor on the basis of an individual order by the Controller, unless already agreed in the Main Agreement.
8.2 Personal Data, data carriers and all other materials shall either be surrendered or deleted at the Controller’s request at the end of this Addendum. This does not apply to Personal Data and other materials for which statutory provisions or contractual agreements between the Parties require retention or to documentation which serves as proof of the Processor’s compliance with the contractual agreements between the Parties and Data Protection Laws. If additional costs are incurred by the Processor as a result of deviating specifications for the surrender or deletion, these shall be borne by the Controller.
8.3 Irrespective of other provisions on deletion, the Personal Data in the backup systems and files will be deleted in accordance with the regular deletion cycle of these backups.
9. Audit rights
9.1 The Processor shall make available to the Controller on request all information necessary to demonstrate compliance with this Addendum and Data Protection Laws.
9.2 The Controller shall be entitled, at any time after prior agreement with the Processor, during normal business hours and without disrupting the course of operations, to check compliance with the Data Protection Laws, this Addendum and/or instructions of the Controller to the necessary extent, in particular by obtaining information and inspecting the stored data and data processing programs.
9.3 The audit may only be performed by a person who is under a special obligation towards the Processor as well as the Controller to maintain secrecy, in particular with regard to information about the Processor’s operations, its equipment, the Processor’s business secrets and security measures. If the audit is not carried out by a person whose compliance with this requirement is already known to the Processor, this person must prove its legitimation in writing or by fax at least 7 working days before the audit is to be carried out.
9.4 Each party bears its own costs in connection with such an audit.
9.5 The Controller shall inform the Processor immediately, if the Controller discovers errors or irregularities in the course of such audits or in any other way.
9.6 Other contractual or statutory control rights of the Controller shall remain unaffected.
10. International transfers of Personal Data
10.1 As at the date of this Addendum, the Controller hereby authorizes the Processor to engage those sub-processors set out in Annex 4.
10.2 The Processor shall not process the Personal Data nor permit any Authorized Sub-processor to process the Personal Data in a country outside of the EEA without an adequate level of protection and compliance with Data Protection Laws.
10.3 To the extent that the transfer of Personal Data involves a transfer that is subject to Data Protection Laws outside of the EEA (or a territory deemed by the European Commission to have adequate levels of protection pursuant to Article 45 of the GDPR), the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 shall apply with Controller as “data exporter” and Processor as “data importer”.
For the purposes of the EU SCCs:
(i) the module two (controller to processor) terms shall apply;
(ii) Clause 7 shall be deleted;
(iii) in Clause 9, Option 2 shall apply with the specification that the specified time period shall be 30 days;
(iv) in Clause 11, the optional language shall be deleted;
(v) in Clause 17, Option 1 shall apply and the EU SCCs shall be governed by German law;
(vi) in Clause 18(b), disputes shall be resolved before the courts of Germany;
(vii) the Annexes of the EU SCCs shall be populated with the information set out in the Annexes to this Addendum.
11. Liability
The Processor shall be liable in accordance with the statutory provisions of Art. 82 GDPR.
12. Costs
Each party bears its own costs in meeting the Controller’s requests made under this Addendum.
13. Term and termination
13.1 The term and periods of notice correspond to the Main Agreement.
13.2 Upon termination of the Main Agreement, this Addendum shall terminate automatically without the need for a separate notice. The obligations arising from this Addendum shall in any case also apply after termination of the Main Agreement until complete destruction or return of all Personal Data by the Processor.
13.3 Upon termination of this Addendum in accordance with this section 8, the Processor’s activities on behalf of the Controller shall end.
14. Miscellaneous
14.1 With regard to the subject matter of this Addendum, in the event of any conflict or inconsistency between any provision of the Main Agreement and any provision of this Addendum, the provision of this Addendum shall prevail.
14.2 Should individual parts of this Addendum be invalid, this shall not affect the validity of the remainder of this Addendum.
14.3 German law shall apply to the exclusion of its conflict of laws provisions.
14.4 The exclusive place of jurisdiction for all disputes arising from or in connection with this agreement shall be the registered office of the Controller.
14.5 The Annexes are an integral part of this Addendum:
Annex 1 – Types of Personal Data and categories of data subjects
Annex 2 – Technical and organizational measures
Annex 3 – Authorized Sub-processors
Annex 4 – Authorized Sub-processors outside the EEA
Annex 1 – Types of Personal Data and categories of data subjects
The types of Personal Data to be processed:
The Controller may submit personal data to the Services, the extent of which is determined and controlled by the Controller in its sole discretion, and which may include, but is not limited to the following categories of personal data:
First and last name
Title
Contact information (e.g. company, email, phone, physical home address, physical business address)
Personal life data (e.g. date of birth, gender)
Credentials (e.g. usernames, passwords)
Session data (e.g. IP-address, date and time of requests)
The categories of data subjects to whom the Personal Data relates:
The Controller may submit Personal Data to the Services, the extent of which is determined and controlled by the Controller in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
Customers
Interested Parties
Employees
Suppliers
Agents
Annex 2 – Technical and organizational measures
1. Measures for pseudonymisation and encryption of personal data
Secure data transfer (SSL, FTPS, TLS etc.)
Secured wireless network
2. Measures for ensuring confidentiality and integrity
Access control – no unauthorized physical access to data processing systems
Key Management and documentation
Access control – no unauthorized system use, reading, writing, copying, modifying, removing of personal data within the system
Password authentication/two-factor authentication
Secure passwords/password requirements
Up-to-date software versions
Transfer control – no unauthorized reading, writing, copying, modifying, removing of personal data during electronic transmission
Determination and documentation of recipients
Encryption of data carriers and connections
Separation control – ensuring that data collected for different purposes can be processed separately
Logical separation of the data (software-side)
Separation of production and test systems
3. Measures to ensure the availability and resilience of the systems
Availability control – protection against accidental destruction or loss of personal data
Back-up strategy (online/offline, onsite/offsite)
Uninterruptible power supply
4. Procedures for the regular review and evaluation of the effectiveness of technical and organizational measures
Order control – order processing only in accordance with the instructions of the client
Written definition of the instructions
Privacy friendly presets (privacy by design)
5. Accompanying measures:
Data protection at employee level:
Confidentiality / non-disclosure obligation
Regulations for the use of the internet/e-mail in companies
Annex 3 – Authorized Sub-processors
(None within the EEA, for Sub-processors outside the EEA see Annex 4)
Annex 4 – Authorized Sub-processors outside the EEA
Amazon Web Services, Inc.
Atlassian Pty Ltd
Google LLC
Segment.io, Inc.
The Rocket Science Group LLC (Mailchimp)